feat(planner): sanitize heroImageUrl before embedding in CSS url()

Extracts sanitizeForCssUrl helper that strips '"()\ before the URL
is embedded in url("..."). Prevents CSS injection via the hero image
field in inline style bindings.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

frontend/src/lib/planner/DesktopDayTile.svelte

@@ -2,6 +2,7 @@
 	import EmptyDayTile from './EmptyDayTile.svelte';
 	import { formatDayAbbr } from '$lib/planner/week';
 	import type { Recipe, Slot, Suggestion } from '$lib/planner/types';
+	import { sanitizeForCssUrl } from '$lib/planner/DesktopDayTile.utils';
 
 	let {
 		slot,
@@ -67,7 +68,7 @@
 
 	const gradientBackground = $derived((() => {
 		if (!slot.recipe) return 'var(--color-surface)';
-		if (slot.recipe.heroImageUrl) return `url(${slot.recipe.heroImageUrl})`;
+		if (slot.recipe.heroImageUrl) return `url("${sanitizeForCssUrl(slot.recipe.heroImageUrl)}")`;
 		const proteinTag = slot.recipe.tags?.find((t) => t.tagType === 'protein');
 		if (proteinTag?.name) {
 			return `var(--gradient-protein-${toCssKey(proteinTag.name)})`;